Mid-size organizations face most of the same security risks as their larger competitors, but recent studies show they are targeted by cyber criminals more frequently than their larger counterparts.

A recent Ponemon Institute survey of more than 1,000 IT professionals in North America and the U.K. found that more than 61 per cent of SMBs had been breached in the past year. That’s a six per cent increase from 2016. Perhaps more concerning for the breached firms, the average quantity of data stolen nearly doubled to 9,350 records, compared to 5,079 in 2016.

Why are mid-size firms being targeted?

Mid-size firms (defined as $10m to $500m in revenue) have less time, money and resources to dedicate to security. That makes them a juicy target for bad actors, who are always looking to get the best bang for their buck. Mid-size companies are particularly attractive to attackers because they collect more data than do small firms. At the same time, mid-size companies generally have less robust security in place than larger firms. And insecure mid-sized companies can serve as gateways to larger companies.

There are a number of specific areas where small- and mid-sized companies are vulnerable, including but not limited to:

Website: Not enough money is dedicated to securing and maintaining the security of their website(s).

Password policy: A lack of a comprehensive password policy, with little to no focus on password length and/or whether two-factor authentication is needed.

Employees and former employees: Not enough thought going into what happens to devices (laptops, smartphones, etc.) when employees leave.

Connected devices: Insufficient security measures are put in place to prevent lateral attacks, such as network access through printers.

According to a 2016 survey by the National Centre for the Middle Market, more than half of US middle market companies do not have an up-to-date strategy to address cyber-security risks. Thirty per cent of the respondents indicated they had no action plan at all.

Botnet prevalence by firm size

According to the Fortinet 2017 Q3 Trend Report, an analysis of botnet attacks on firms of all sizes showed a distinct concentration of mid-size firms victimized. While this spike is not unique to this quarter, it is unlikely that these results represent hard and fast rules. Any firm, of any size, can be infected with any botnet, but based on the instances found in the study, organizations may be susceptible to certain types of threats based on demographic factors like employee size. Similar patterns of difference and similarity among industry sectors and geographic regions have been shown in previous reports Fortinet released.

What can mid-sized firms do to protect themselves?

Acknowledging and understanding the risk they face is a significant step mid-size firms can take in protecting themselves against attacks, but the acknowledgment and understanding must permeate beyond the IT department well into the C-suite and various other departments. Everyone within an organization, from small to large, must take responsibility to protect the data that is being targeted in attacks. Mid-size firms must be especially vigilant.

You can find out more about why mid-size firms are at an increased risk of being attacked by downloading Fortinet’s 2017 Q3 Trend Report.